CVE-2026-42745

Smart Online Order for Clover <= 1.6.0 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
1.6.1
Patched in
5d
Time to patch

Description

The Smart Online Order for Clover plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.6.0. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.6.0
PublishedMay 28, 2026
Last updatedJune 2, 2026
Affected pluginclover-online-orders

What Changed in the Fix

Changes introduced in v1.6.1

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-42745 (Smart Online Order for Clover) ## 1. Vulnerability Summary The **Smart Online Order for Clover** plugin for WordPress (versions <= 1.6.0) is vulnerable to **Missing Authorization**. Several REST API endpoints and administrative functions lack proper cap…

Show full research plan

Exploitation Research Plan: CVE-2026-42745 (Smart Online Order for Clover)

1. Vulnerability Summary

The Smart Online Order for Clover plugin for WordPress (versions <= 1.6.0) is vulnerable to Missing Authorization. Several REST API endpoints and administrative functions lack proper capability checks (current_user_can). Specifically, the plugin's REST API, defined in includes/moo-OnlineOrders-Restapi.php, registers multiple routes with permission_callback set to __return_true, making them accessible to unauthenticated attackers. This allows unauthorized modification of product visibility, stock status, and potentially plugin settings.

2. Attack Vector Analysis

  • Endpoint: /wp-json/moo-clover/v1/sync/update_item (inferred from SyncRoutes registration) or admin-ajax.php.
  • Primary Target: Product status modification (Hiding items, marking as Out of Stock).
  • Authentication: None (Unauthenticated).
  • Preconditions: The plugin must be active and connected to a Clover merchant account (to have items in the database).
  • Payload: JSON or POST parameters containing item UUIDs and the desired status.

3. Code Flow

  1. Entry Point: A request is made to the REST API namespace moo-clover/v1.
  2. Registration: In includes/moo-OnlineOrders-Restapi.php, routes are
Research Findings
Static analysis — not yet PoC-verified

Summary

The Smart Online Order for Clover plugin for WordPress (up to 1.6.0) is vulnerable to unauthorized access because it fails to implement capability checks on several REST API endpoints. This allows unauthenticated attackers to perform unauthorized actions, such as modifying product visibility, synchronization settings, and stock status, by accessing endpoints where the permission callback is incorrectly set to always return true.

Vulnerable Code

// includes/moo-OnlineOrders-Restapi.php

    public function register_routes() {

        //register v2 routes

        $this->syncRoutes->register_routes();
        $this->dashRoutes->register_routes();
        $this->customersRoutes->register_routes();
        $this->checkoutRoutes->register_routes();

        //get categories route
        register_rest_route( $this->namespace, '/categories', array(
            array(
                'methods'   => 'GET',
                'callback'  => array( $this, 'getCategories' ),
                'permission_callback' => '__return_true'
            )
        ) );

        //get items per category route
        register_rest_route( $this->namespace, '/categories/(?P<cat_id>[a-zA-Z0-9-]+)/items', array(
            array(
                'methods'   => 'GET',
                'callback'  => array( $this, 'getItemsPerCategory' ),
                'permission_callback' => '__return_true'
            )
        ) );

Security Fix

--- includes/moo-OnlineOrders-Restapi.php
+++ includes/moo-OnlineOrders-Restapi.php
@@ -194,7 +194,7 @@
             array(
                 'methods'   => 'GET',
                 'callback'  => array( $this, 'getCategories' ),
-                'permission_callback' => '__return_true'
+                'permission_callback' => function() { return current_user_can( 'manage_options' ); }
             )
         ) );
 
@@ -203,7 +203,7 @@
             array(
                 'methods'   => 'GET',
                 'callback'  => array( $this, 'getItemsPerCategory' ),
-                'permission_callback' => '__return_true'
+                'permission_callback' => function() { return current_user_can( 'manage_options' ); }
             )
         ) );

Exploit Outline

An unauthenticated attacker can target sensitive REST API endpoints under the '/wp-json/moo-clover/v1/' namespace. By identifying endpoints registered within classes like SyncRoutes or DashboardRoutes (e.g., '/sync/update_item'), an attacker can send a POST request containing specific item UUIDs and desired status values. Because these endpoints use '__return_true' for their permission_callback, the plugin processes the request without verifying the sender's identity or permissions, allowing for unauthorized modifications to product visibility and store settings.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.